Rachna Chaudhari is the AAD's practice management manager. Her column offers tips in response to common member questions.

Each month Dermatology World tackles issues “in Practice” for dermatologists. This month Rachna Chaudhari, the Academy’s practice management manager, offers tips on an area she commonly receives questions about from members.

By Rachna Chaudhari, October 01, 2013

Dermatologists are entering a new landscape of ever-increasing audits. They are being hit with Recovery Audit Contractor (RAC) audits for their Medicare billings, HIPAA audits for their protection of their medical records, and numerous other audits affecting their business practices. The Electronic Health Record (EHR) Incentive Program only adds to this mix of audits with the recent implementation of meaningful use audits. The Centers for Medicare and Medicaid Services (CMS) has begun pre- and post-payment audits on at least 5 percent of physicians attesting for meaningful use, and the agency is legally able to audit for up to six years after a physician attests.

CMS has stated that all meaningful use audits are performed either by random selection or based on anomalous data, such as inconsistent denominators for measures. Atlanta West Dermatology, located in Georgia, was targeted at random for a meaningful use pre-payment audit. Holley Garrett, CPM, CPC, CDC, the practice’s administrator, was first notified of the audit in April. “CMS notified our practice of the audit by sending a formal audit letter from the law firm of Figliozzi and Company to the email address we supplied when we attested for meaningful use,” she said. (An example of a formal audit letter is found at www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SampleAuditLetter.pdf.) “If the email address you entered during attestation is not accurate, your practice will not be notified by any other method and CMS will automatically recoup the meaningful use payment if no response is given within three weeks. So it is important to ensure that the email address you enter during attestation is one which is regularly checked and doesn’t filter out CMS emails,” she warned. [pagebreak]

Once a practice is notified of an impending audit, it is prudent to assign a staff member to oversee the process. CMS will require additional documentation for each meaningful use measure as well as supporting documentation for each numerator and denominator value. The auditor will expect to receive the formal meaningful use report generated by the EHR system in addition to screenshots validating specific measures. Garrett noted that “the screenshots must show the physician’s name, EHR vendor’s logo and/or product name to verify certification, as well as a date stamp to show the measure occurred during the EHR reporting period.” Her practice also had to send a letter from the EHR vendor stating that the system was certified for the full year during which the meaningful use measures were reported. CMS has posted guidance on additional documentation and examples of screenshots at www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_SupportingDocumentation_Audits.pdf.

The auditing agency will expect to receive all supporting documentation via a portal on its website or via first class mail. It is the practice’s responsibility to ensure the materials are in a readable format, and the auditor does not give an expected response time, according to Garrett. Her auditor did not respond until one month after her initial submission and the whole process took almost four months before she received notice that she had passed. It took another 30 60 days for the practice to actually receive payment. She also had to send in additional documentation when the auditor requested more information on specific measures. “It is important to realize that the auditor is not familiar with our way of practice. Don’t assume they know more about meaningful use than you,” she said. She noted that her practice had to send in additional letters from the physician explaining why she was claiming an exclusion for specific measures, clarification of various ICD-9 codes, and copies of all of the practice’s HIPAA training materials as well as business associate agreements to show the practice was meeting the security risk analysis measure. For additional help on preparing documentation for a meaningful use audit, your practice can also contact your HIT regional extension center at www.healthit.gov/providers-professionals/regional-extension-centers-recs#listing.

Fortunately, Garrett’s practice was successful in passing its audit; however, it took a significant amount of time and work for her to gather all of the relevant documentation. She advises that practices ensure that they are backing up their attestation with relevant documentation in the form of screen shots or explanatory statements and pay close attention to the security risk analysis measure. As the meaningful use program is only expected to grow exponentially over the next several years, these types of audits will only increase and cause further regulatory pressures on practices. [pagebreak]

Maintaining and documenting compliance

Take the following steps to insure you are remaining compliant with all aspects of the meaningful use program.

Obtain a letter from your EHR vendor stating which product you have, the certification ID, and the dates it was installed in your office.

Periodically check the email you provided during the attestation process for any auditing communication.

Print a copy of your meaningful use report along with the physician’s name, EHR vendor product name, and date stamp. Review it for any errors.

Document non-percentage-based measures with screenshots showing the action occurring along with a date stamp, physician’s name, and EHR vendor logo.

Document percentage-based measures with a report showing each relevant numerator and denominator along with a date stamp, physician’s name, and EHR vendor logo.

Prepare a written explanation for each measure your physician is excluded from along with a report showing a zero denominator if applicable.

Prepare copies of all relevant security risk analysis documents including business associate agreements, policies, and procedures.